Your message dated Sat, 31 Aug 2024 12:30:55 +0100
with message-id 
<27c418b1a49ffc566f1b9635359e59f6a742be26.ca...@adam-barratt.org.uk>
and subject line Closing bugs for 11.11
has caused the Debian Bug report #1078169,
regarding bullseye-pu: package xmedcon/0.16.3+dfsg-1+deb11u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1078169: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078169
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bullseye
X-Debbugs-Cc: xmed...@packages.debian.org
Control: affects -1 + src:xmedcon
User: release.debian....@packages.debian.org
Usertags: pu

Greetings,

This is basically the same request as #1077549 except this time
it is for oldstable bullseye.

[ Reason ]
xmedcon in bullseye is affected by CVE-2024-29421.  It is,
quoting the description: "vulnerable to Buffer Overflow via
libs/dicom/basic.c which allows an attacker to execute arbitrary
code".  It is currently rated minor by the security team, hence
following the proposed-update process instead of a security
update.  The issue is tracked in #1077369.

[ Impact ]
xmedcon in bullseye will remain vulnerable to the risk of
execution of arbitrary code if left unchanged.

[ Tests ]
The package does not ship with automated tests, but I verified
manually that the patch in upstream code did not provoke any
obvious breakages by visualising some dicom images taken from
other Debian Med sample files.  I also verified that the dicom
visualizer amide, which depends on libmdc3, was not showing
obvious breakages caused by the change.

[ Risks ]
The patch fits in a screen and it felt fairly obvious to me what it
was doing, so I don't believe it's highly risky.  It has one
reverse dependency, amide, that does not seem to show many
issues with the change thus far.

[ Checklist ]
  [*] *all* changes are documented in the d/changelog
  [*] I reviewed all changes and I approve them
  [*] attach debdiff against the package in oldstable
  [*] the issue is verified as fixed in unstable

[ Changes ]
This revision introduces a patch to dicom loading functions,
originating from upstream xmedcon 0.24.0, containing a change
which is intended to guard against large element length and
error out instead of running into buffer overflow conditions.

[ Other info ]
Have a nice day,  :)
-- 
  .''`.  Étienne Mollier <emoll...@debian.org>
 : :' :  pgp: 8f91 b227 c7d6 f2b1 948c  8236 793c f67e 8f0d 11da
 `. `'   sent from /dev/pts/0, please excuse my verbosity
   `-
diff -Nru xmedcon-0.16.3+dfsg/debian/changelog 
xmedcon-0.16.3+dfsg/debian/changelog
--- xmedcon-0.16.3+dfsg/debian/changelog        2020-12-07 15:51:18.000000000 
+0100
+++ xmedcon-0.16.3+dfsg/debian/changelog        2024-08-07 18:10:18.000000000 
+0200
@@ -1,3 +1,10 @@
+xmedcon (0.16.3+dfsg-1+deb11u1) bullseye; urgency=medium
+
+  * Team upload.
+  * CVE-2024-29421.patch: new: fix CVE-2024-29421. (Closes: #1077369)
+
+ -- Étienne Mollier <emoll...@debian.org>  Wed, 07 Aug 2024 18:10:18 +0200
+
 xmedcon (0.16.3+dfsg-1) unstable; urgency=medium
 
   * Build-Depends: s/libnifti-dev/libnifti2-dev/
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch 
xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch
--- xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch     1970-01-01 
01:00:00.000000000 +0100
+++ xmedcon-0.16.3+dfsg/debian/patches/CVE-2024-29421.patch     2024-08-07 
18:08:39.000000000 +0200
@@ -0,0 +1,47 @@
+Description: Prevent overflow of value before a malloc().
+ This patch includes commits a35cd9b856c23e20cc1753e36cd9228391366082
+ from upstream, and 5131a648f09a82c26088b340bdd983fd09a6e19e for
+ additional error messaging.  This fixes CVE-2024-29421.
+
+Author: Erik Nolf
+Origin: upstream,
+        
https://sourceforge.net/p/xmedcon/code/ci/5131a648f09a82c26088b340bdd983fd09a6e19e/,
+        
https://sourceforge.net/p/xmedcon/code/ci/434925fca63c855dd6d24e4c018c2fa745646f9e/
+Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1077369
+Reviewed-by: Étienne Mollier <emoll...@debian.org>
+Last-Update: 2024-08-07
+---
+This patch header follows DEP-3: http://dep.debian.net/deps/dep3/
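Review bot: the commit ids in this DEP-3 header disagree between the Description and Origin fields: Description cites a35cd9b856c23e20cc1753e36cd9228391366082 and 5131a648f09a82c26088b340bdd983fd09a6e19e, while Origin links 5131a648f09a82c26088b340bdd983fd09a6e19e and 434925fca63c855dd6d24e4c018c2fa745646f9e. Reconcile the two lists so the upstream provenance of the backport is traceable, and consider recording the upstream release the change was taken from (0.24.0, per the request text) in the header as well.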
+--- a/libs/dicom/basic.c
++++ b/libs/dicom/basic.c
+@@ -401,6 +401,16 @@ int dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: - simply prevent length values that will overflow  */
++  /* eNlf: when we sum with an extra 4 bytes; thus preventing */
++  /* eNlf: a heap overflow due to a small value at malloc()   */
++  /* eNlf: notified by Spike Reply Cyber Security Team        */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
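Review bot: the guard `if (element.length > (0xFFFFFFFF - 4))` only prevents `element.length + 4` from wrapping to a small allocation; it does not bound `element.length` against the bytes remaining in the input, so a crafted element can still request an allocation of just under 4 GiB. Please confirm that the later malloc() (not visible in this hunk) has its return value checked, and consider also comparing the length with the remaining file size. Spelling the limit as `UINT32_MAX - 4` (or a named constant) would make its relationship to the `0xFFFFFFFF` undefined-length sentinel tested two lines above explicit. The ordering is correct as written: the sentinel check must stay before this one, otherwise an undefined-length element would be rejected as "Unsupported element length".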
+@@ -499,6 +509,13 @@ int mdc_dicom_load(VR vr)
+   if (element.vr==SQ || element.length==0xFFFFFFFF)
+     return 0;
+ 
++  /* eNlf: prevent overflowed value - see dicom_load() */
++  if (element.length > (0xFFFFFFFF - 4)) {
++    dicom_log(ERROR,"Unsupported element length");
++    dicom_close();
++    return -4;
++  }
++
+   if (element.group==0xFFFE)
+     if (!element.encapsulated)
+       return 0;
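Review bot: this block duplicates the check added to dicom_load() above verbatim, including the `0xFFFFFFFF - 4` literal, the error string and the `-4` return; a small static helper (say `dicom_check_length(element.length)`) called from both loaders would keep the two paths from drifting apart if the limit is later tightened. Also confirm that `-4` is not already used for a different failure by mdc_dicom_load(); the return-code conventions of the two functions are not visible in this hunk.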
diff -Nru xmedcon-0.16.3+dfsg/debian/patches/series 
xmedcon-0.16.3+dfsg/debian/patches/series
--- xmedcon-0.16.3+dfsg/debian/patches/series   2020-12-07 15:51:18.000000000 
+0100
+++ xmedcon-0.16.3+dfsg/debian/patches/series   2024-08-07 18:08:39.000000000 
+0200
@@ -2,3 +2,4 @@
 add_gtk_libraries_to_linker.patch
 use_debian_packaged_niftilib.patch
 cross.patch
+CVE-2024-29421.patch



--- End Message ---
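The length guard described in the [Changes] paragraph of the request and in the patch, as an added example that is not xmedcon's code: it parses a constructed explicit-VR DICOM element header, shows how a 32-bit element length near 0xFFFFFFFF wraps to a tiny value once 4 bytes are added to it (the "small value at malloc()" the upstream comment refers to), applies the same check the patch introduces, and goes one step further with a bounded variant that also rejects lengths exceeding the remaining input. All function and constant names, the bounded variant and the sample bytes are assumptions of this example, not part of the patch or of libmdc.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not xmedcon code. Names below are hypothetical. */

#define DICOM_UNDEFINED_LENGTH 0xFFFFFFFFu   /* sentinel the loaders handle first */
#define DICOM_EXTRA_BYTES      4u            /* the "+4" the upstream fix guards against */

/* Minimal explicit-VR little-endian header with a 32-bit length field
 * (the 12-byte form used for VRs such as OB, OW, UN, SQ, UT). */
struct dicom_elem {
    uint16_t group;
    uint16_t element;
    char     vr[3];
    uint32_t length;
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Parse the 12-byte header; 0 on success, -1 if the buffer is too short. */
int dicom_parse_header32(const uint8_t *buf, size_t n, struct dicom_elem *out) {
    if (n < 12) return -1;
    out->group   = (uint16_t)(buf[0] | (buf[1] << 8));
    out->element = (uint16_t)(buf[2] | (buf[3] << 8));
    out->vr[0] = (char)buf[4]; out->vr[1] = (char)buf[5]; out->vr[2] = '\0';
    /* bytes 6..7 are reserved (zero) in this header form */
    out->length = le32(buf + 8);
    return 0;
}

/* What a uint32_t "length + 4" allocation size computes to: wraps modulo 2^32. */
uint32_t dicom_wrapped_alloc_size(uint32_t length) {
    return (uint32_t)(length + DICOM_EXTRA_BYTES);
}

/* The check from the upstream fix: reject lengths whose +4 would wrap.
 * 0 = acceptable, -4 = "Unsupported element length" (the patch's return code). */
int dicom_check_length(uint32_t length) {
    if (length > (UINT32_MAX - DICOM_EXTRA_BYTES))
        return -4;
    return 0;
}

/* Stricter variant (an assumption of this example, not in the patch): also
 * refuse lengths that exceed the bytes remaining after the header.
 * -5 = length runs past the end of the input. */
int dicom_check_length_bounded(uint32_t length, size_t remaining) {
    if (dicom_check_length(length) != 0) return -4;
    if (length > remaining) return -5;
    return 0;
}

int main(void) {
    /* Constructed input: (7FE0,0010) Pixel Data, VR OB, length 0xFFFFFFFE,
     * followed by only 3 bytes of payload. */
    const uint8_t sample[] = {
        0xE0, 0x7F, 0x10, 0x00, 'O', 'B', 0x00, 0x00,
        0xFE, 0xFF, 0xFF, 0xFF,
        0x01, 0x02, 0x03
    };
    struct dicom_elem e;
    if (dicom_parse_header32(sample, sizeof sample, &e) != 0) return 1;

    size_t remaining = sizeof sample - 12;
    printf("(%04X,%04X) VR=%s length=0x%08X\n", e.group, e.element, e.vr, e.length);
    printf("length+4 as uint32_t: %u bytes (what an unguarded malloc() would get)\n",
           dicom_wrapped_alloc_size(e.length));
    printf("upstream guard: %d\n", dicom_check_length(e.length));
    printf("bounded guard (%zu bytes left): %d\n", remaining,
           dicom_check_length_bounded(e.length, remaining));
    return 0;
}
```

With the sample header the unguarded size computes to 2 bytes while the element claims almost 4 GiB of data, which is exactly the mismatch a subsequent copy of `length` bytes would exploit; the patched check returns -4 for any length above 0xFFFFFFFB, and the bounded variant additionally catches lengths that are arithmetically safe but larger than the file.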
--- Begin Message ---
Package: release.debian.org
Version: 11.11

Hi,

Each of these bugs relates to an update included in today's final
bullseye 11.11 point release.

Regards,

Adam

--- End Message ---